Saturday 20 June 2015

Introduction to the Penetration Testing Lifecycle

Most people assume that all a penetration tester, or hacker, needs to do is sit down in front of a computer, type an obscure string of code and, voila, any computer in the world is instantly opened. This stereotype, rooted in Hollywood legend, is far from the truth. Professionals in this field are very meticulous in the approach they use to uncover and exploit vulnerabilities in computer systems. Over time a proven framework has emerged that is used by professional ethical hackers. The phases of this framework guide the penetration tester through the process of methodically exploiting information systems in a way that results in a well-documented report, which can be used if needed to repeat portions of the testing engagement. This process not only provides a structure for the tester but is also used to develop high-level plans for penetration testing activities. Each phase builds on the previous one and provides detail to the phase that follows. While the process is sequential, many testers return to earlier phases to clarify discoveries and validate findings.

The first four steps in the process were clearly defined by Patrick Engebretson in his book The Basics of Hacking and Penetration Testing. These steps are Reconnaissance, Scanning, Exploitation, and Maintaining Access.

This book uses these same steps but expands Patrick's work with an additional step, Reporting. Additionally, when compared with the five-phase process defined by EC-Council in its popular Certified Ethical Hacker (C|EH) course, many may notice that the final phase of that process, Covering Tracks, is missing. This was done intentionally to focus on the earlier phases and to include a chapter on reporting, a topic that is omitted from many books on this subject. This book also differs from the earlier book by removing the cyclic illustration of the lifecycle and replacing it with a more linear visualization that matches what an ethical hacker would normally encounter in a typical engagement. This would begin with reconnaissance of the target information system and end with the penetration tester or test team lead briefing the information systems leadership and presenting the report of

FIGURE 5.1 The penetration testing life-cycle.

A basic view of each of the phases will be drawn out in this chapter, and a more extensive description will be given in the chapters devoted to each phase. In addition to the description, common tools for each phase will be introduced in the coming chapters.
In this way the reader will not only understand the phases of the lifecycle but also have a view under the hood of which tools are most likely to be used first by engineers in this field of security. These chapters will introduce the reader to the tools but will not be exhaustive; they only scratch the surface of what each tool or technique can do to assist in conducting these types of tests. Many of the tools or techniques have entire books—sometimes many books—devoted to their correct use and application.

Phase 1: Reconnaissance

In a small room with dim lights, analysts and officers scan and inspect maps of hostile territory. Across the room others watch television channels from across the globe, frantically taking notes. The final group in this room prepares a detailed assessment of everything about the target being investigated. This scenario describes what would normally be done in a military reconnaissance of a possible target, and it is analogous to what the penetration tester will do during the reconnaissance phase of the penetration testing lifecycle.
This phase focuses on learning anything and everything about the network and organization that is the target of the engagement. This is done by searching the Internet and conducting passive scans of the available connections to the target's network. In this phase the tester does not actually penetrate the network defenses but rather identifies and documents as much information about the target as possible.
 

Phase 2: Scanning

Imagine a hilltop deep behind enemy lines, where a single soldier crouches hidden among a thicket of bushes and trees. The report being sent back informs others about the location of the camp being observed, the mission of the camp, and the types of work being done in each building. The report also notes the routes in and out of the camp and the types of security that can be seen. The soldier in this example had a mission defined by the analysis conducted during the reconnaissance phase. The same is true of the second phase of the penetration testing lifecycle. The tester will use information gained in phase 1 to start actively scanning the target's network and information systems. Using the tools of this phase, the tester builds a better definition of the network and system infrastructure, and from it selects the systems to be targeted for exploitation. The information gained in this phase will be used in the exploitation phase.
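As an added example (this is not code from the book or from this blog, and the tools the later chapters cover do far more), the following Python script shows the most basic scanning-phase activity in working form: a concurrent TCP connect scan that reports open ports and grabs whatever banner the service sends. So that it runs offline, it starts its own constructed listener on an ephemeral localhost port that answers with a made-up SSH-style banner, then scans a small window of ports around it; the host, banner text, port window and timeout are all assumptions chosen for the demonstration.

```python
"""Minimal TCP connect scanner with banner grabbing (added example).

Scans 127.0.0.1 only, against a throw-away listener it starts itself, so the
script runs offline. Host, banner, port window and timeout are assumptions
made for the demonstration, not values from the book.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional, Tuple

CONNECT_TIMEOUT = 0.5  # seconds; raise this on slow or filtered networks


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Start a constructed listener on an ephemeral localhost port.

    Every client that connects is sent `banner` and then disconnected. This
    stands in for a real target service. Returns (listening socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was shut down by stop_fake_service()
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_fake_service(srv: socket.socket) -> None:
    """Wake the accept() loop and close the listener."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> Tuple[int, Optional[bytes]]:
    """TCP connect probe of one port.

    Returns (port, banner) when the port is open; banner is b"" if the service
    accepts the connection but says nothing within the timeout. Returns
    (port, None) when the connection is refused or times out (closed/filtered).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(128)
            except socket.timeout:
                data = b""
            return port, data
    except OSError:
        return port, None


def scan(host: str, ports: Iterable[int], workers: int = 50) -> Dict[int, bytes]:
    """Probe `ports` concurrently; return a map of open port -> banner."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {p: banner for p, banner in results if banner is not None}


def demo() -> Tuple[int, Dict[int, bytes]]:
    """Self-contained run: start the fake service, scan a window around it.

    Returns (port the fake service listened on, scan results).
    """
    srv, port = start_fake_service(b"SSH-2.0-constructed_example\r\n")  # constructed banner
    try:
        window = range(max(1, port - 5), port + 6)  # assumption: 11-port window
        return port, scan("127.0.0.1", window)
    finally:
        stop_fake_service(srv)


if __name__ == "__main__":
    listening_port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner.decode(errors='replace').strip()}")
```

A connect scan completes the full TCP handshake, so every probe is visible to the target as a normal connection and will appear in its logs; that is acceptable in an authorized engagement but is the opposite of the quiet, passive collection the reconnaissance phase relies on. The banner is the piece of output that feeds the next phase: a version string such as the constructed SSH line above is what the tester matches against known vulnerabilities before attempting exploitation.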

Phase 3: Exploitation

Four soldiers rush through an open field. The moon is only a sliver and obscured by clouds, yet the soldiers see everything in an eerie green glow. They rush the building, slipping through a gap in the fence and then through an open back door. After just moments on the target they are on the way back out with vital information about future troop movements and plans for the coming months. Again, this matches what the ethical hacker will do in the exploitation phase. The intent of this phase is to get into the target system and back out with information without being noticed, using system vulnerabilities and proven techniques.

Phase 4: Maintaining Access

Based on drawings provided by the raid team, a group of skilled engineers excavate earth from deep in the tree line under the room that held the vital information taken earlier. The purpose of this tunnel is to provide easy access to the room for continued exploitation of the enemy. This is the same for the tester: once the system is exploited, backdoors and rootkits are left on the systems to allow access in the future. On an authorized engagement this is done only within the agreed rules of engagement, and each mechanism left behind is recorded so that it can be removed when the engagement ends.

Phase 5: Reporting

The raid team commander stands in front of a group of generals and admirals explaining the details of the raid. Each step is explained in great detail, expanding on every decision that allowed the exploitation to take place. The penetration tester too must develop detailed reports that explain each step in the hacking process, the vulnerabilities exploited, and the systems that were actually compromised. Additionally, in many cases one member of the team, and sometimes more, may be required to provide a detailed briefing to senior leadership and the technical staff of the target information system.

Summary

The coming chapters will explain each of these phases in greater detail. Each chapter will provide information on the basics of the common tools used in that phase. Using the process detailed in this chapter, the reader will understand the purpose and advantages of each phase being explained and the most common tools used in it.